Discovers and Reconstructs a Sophisticated Water Gamayun APT Group Attack

    Date: 12/01/2025

    Severity: High

    Summary

    A compromised site and a lookalike domain worked together to deliver a double-extension RAR file masquerading as a PDF. The payload abused MSC EvilTwin (CVE-2025-26633) to inject code into mmc.exe and trigger hidden PowerShell stages via TaskPad commands. Layered obfuscation, a breached website, and password-protected archives reduced user visibility. A small .NET class hid malicious processes while a decoy document maintained a sense of normal interaction. The campaign's methods strongly align with Water Gamayun, based on its known MSC EvilTwin exploitation and obfuscation traits. Dual-path infrastructure, window-hiding techniques, and specific social-engineering themes further support this attribution.

    Indicators of Compromise (IOC) List

    Domains/URLs:

    belaysolutions.com
    belaysolutions.link

    IP Address:

    103.246.147.17

    Hashes (MD5):

    ba25573c5629cbc81c717e2810ea5afc
    f3d83363ea68c707021bde0870121177
    97e4a6cbe8bda4c08c868f7bcf801373
    caaaef4cf9cf8e9312da1a2a090f8a2c
    f645558e8e7d5e4f728020af6985dd3f
    e4b6c675f33796b6cf4d930d7ad31f95

    Hashes (SHA1):

    2546912941591b13e929b19c91a0f9c4d3982848
    a95854f54892a6472b9a452b295219f36084949d

    Hashes (SHA256):

    b04c9facc6ebaba88a8fbbe26ce379cb3355d703899dacfe589e736ab9096659
    e76fe4cbd4d0ec8d78bc05b03f6c159f36fd6cac26c3002373bf380b069949d8

    File paths:

    /cAKk9xnTB/UnRAR.exe
    /cAKk9xnTB/as_it_1_fsdfcx.rar
    /cAKk9xnTB/doc.pdf
    /yyC15x4zbjbTd/ItunesC.rar

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1:

    domainname like "belaysolutions.link" or url like "belaysolutions.link" or siteurl like "belaysolutions.link" or domainname like "belaysolutions.com" or url like "belaysolutions.com" or siteurl like "belaysolutions.com"

    Detection Query 2:

    dstipaddress in ("103.246.147.17") or srcipaddress in ("103.246.147.17")

    Detection Query 3:

    md5hash IN ("ba25573c5629cbc81c717e2810ea5afc","f3d83363ea68c707021bde0870121177","97e4a6cbe8bda4c08c868f7bcf801373","caaaef4cf9cf8e9312da1a2a090f8a2c","f645558e8e7d5e4f728020af6985dd3f","e4b6c675f33796b6cf4d930d7ad31f95")

    Detection Query 4:

    sha1hash IN ("2546912941591b13e929b19c91a0f9c4d3982848","a95854f54892a6472b9a452b295219f36084949d")

    Detection Query 5:

    sha256hash IN ("e76fe4cbd4d0ec8d78bc05b03f6c159f36fd6cac26c3002373bf380b069949d8","b04c9facc6ebaba88a8fbbe26ce379cb3355d703899dacfe589e736ab9096659")

    Detection Query 6:

    Resourcename = "Windows Security" and eventtype = "4663" and objectname IN ("/cAKk9xnTB/UnRAR.exe", "/cAKk9xnTB/as_it_1_fsdfcx.rar", "/cAKk9xnTB/doc.pdf", "/yyC15x4zbjbTd/ItunesC.rar")

    Detection Query 7:

    technologygroup = "EDR" and objectname IN ("/cAKk9xnTB/UnRAR.exe", "/cAKk9xnTB/as_it_1_fsdfcx.rar", "/cAKk9xnTB/doc.pdf", "/yyC15x4zbjbTd/ItunesC.rar")
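    The seven queries above are Gurucul TDIR syntax. As an added example (not code from the advisory, from Gurucul, or from the Zscaler research it references), the following Python script applies the same indicators from the IOC list to constructed key="value" log records, so an analyst can test the matching logic offline before porting it to a SIEM. The field names (domainname, url, siteurl, srcipaddress, dstipaddress, md5hash, sha1hash, sha256hash, objectname) are taken from the queries; the log format and the sample records are constructed for the example, and treating the listed file paths as URL-style fragments to be matched as suffixes (so that a Windows backslash path from EDR still matches) is an assumption made here.

```python
"""Added example (not from the Gurucul advisory or Zscaler research): a small
IOC matcher that applies the advisory's domain, IP, hash and file-path
indicators to constructed key="value" log records, mirroring the logic of
Detection Queries 1-7."""
import re

# Indicators copied from the advisory's IOC list.
IOC_DOMAINS = {"belaysolutions.com", "belaysolutions.link"}
IOC_IPS = {"103.246.147.17"}
IOC_HASHES = {
    # MD5 (Detection Query 3)
    "ba25573c5629cbc81c717e2810ea5afc", "f3d83363ea68c707021bde0870121177",
    "97e4a6cbe8bda4c08c868f7bcf801373", "caaaef4cf9cf8e9312da1a2a090f8a2c",
    "f645558e8e7d5e4f728020af6985dd3f", "e4b6c675f33796b6cf4d930d7ad31f95",
    # SHA1 (Detection Query 4)
    "2546912941591b13e929b19c91a0f9c4d3982848",
    "a95854f54892a6472b9a452b295219f36084949d",
    # SHA256 (Detection Query 5)
    "b04c9facc6ebaba88a8fbbe26ce379cb3355d703899dacfe589e736ab9096659",
    "e76fe4cbd4d0ec8d78bc05b03f6c159f36fd6cac26c3002373bf380b069949d8",
}
IOC_PATHS = {
    "/cAKk9xnTB/UnRAR.exe", "/cAKk9xnTB/as_it_1_fsdfcx.rar",
    "/cAKk9xnTB/doc.pdf", "/yyC15x4zbjbTd/ItunesC.rar",
}

# Record fields each indicator type is compared against, following the
# advisory's queries ("like" on domain/url fields, "IN" on the rest).
DOMAIN_FIELDS = ("domainname", "url", "siteurl")
IP_FIELDS = ("srcipaddress", "dstipaddress")
HASH_FIELDS = ("md5hash", "sha1hash", "sha256hash")
PATH_FIELDS = ("url", "objectname")

_HASH_KINDS = {32: "md5", 40: "sha1", 64: "sha256"}
_KV_RE = re.compile(r'(\w+)="([^"]*)"')


def hash_kind(value):
    """Classify a hex digest by length; None if it is not a clean hex string."""
    v = value.strip().lower()
    if not re.fullmatch(r"[0-9a-f]+", v):
        return None
    return _HASH_KINDS.get(len(v))


def normalize_path(p):
    """Lower-case and use forward slashes so a Windows file path and a URL path
    compare the same way (assumption: the advisory's paths are URL-style)."""
    return p.replace("\\", "/").lower()


def parse_record(line):
    """Parse one constructed key="value" log line into a dict."""
    return dict(_KV_RE.findall(line))


def match_record(rec):
    """Return sorted 'type:indicator' hits for one parsed record."""
    hits = set()
    for f in DOMAIN_FIELDS:                      # Query 1: substring match
        v = rec.get(f, "").lower()
        hits.update(f"domain:{d}" for d in IOC_DOMAINS if d in v)
    for f in IP_FIELDS:                          # Query 2: exact match
        if rec.get(f) in IOC_IPS:
            hits.add(f"ip:{rec[f]}")
    for f in HASH_FIELDS:                        # Queries 3-5: exact match
        v = rec.get(f, "").lower()
        if v in IOC_HASHES:
            hits.add(f"{hash_kind(v)}:{v}")
    for f in PATH_FIELDS:                        # Queries 6-7: path suffix
        v = normalize_path(rec.get(f, ""))
        hits.update(f"path:{p}" for p in IOC_PATHS if v.endswith(normalize_path(p)))
    return sorted(hits)


def scan_logs(lines):
    """Return [(line_index, hits)] for every record matching at least one IOC."""
    out = []
    for i, line in enumerate(lines):
        hits = match_record(parse_record(line))
        if hits:
            out.append((i, hits))
    return out


# Constructed sample records (not real telemetry); field names follow the
# advisory's queries. Backslashes in the EDR path are deliberate.
SAMPLE_LOGS = [
    'resourcename="Proxy" domainname="belaysolutions.link" '
    'url="http://belaysolutions.link/cAKk9xnTB/as_it_1_fsdfcx.rar" '
    'srcipaddress="10.0.0.5" dstipaddress="103.246.147.17"',
    'technologygroup="EDR" objectname="C:\\Users\\alice\\Downloads\\cAKk9xnTB\\UnRAR.exe" '
    'md5hash="ba25573c5629cbc81c717e2810ea5afc"',
    'resourcename="Windows Security" eventtype="4663" '
    'objectname="C:\\Windows\\System32\\notepad.exe"',
    'resourcename="Proxy" domainname="example.com" url="https://example.com/" '
    'dstipaddress="192.0.2.10"',
]

if __name__ == "__main__":
    for idx, hits in scan_logs(SAMPLE_LOGS):
        print(f"line {idx}: {', '.join(hits)}")
```

    The suffix matching in normalize_path is the one place this deliberately departs from Queries 6 and 7: those compare objectname with IN against forward-slash paths, which a Windows file-system event (backslashes, full drive path) would not satisfy literally, whereas a proxy URL would. Matching on the trailing directory-and-file fragment covers both sources; confirm against your own log schema before adopting it.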

    References:

    https://www.zscaler.com/blogs/security-research/water-gamayun-apt-attack

    https://otx.alienvault.com/pulse/69264d24cbe30afec1cec15f


    Tags: Vulnerability, APT, Water Gamayun, CVE-2025, Exploit, Social Engineering, Malware
